How to use more than one group for LDAP authentication


Sebastian Wenner

May 12, 2020, 3:37:16 AM5/12/20
to NetBox
Hi,

I'm trying to use LDAP beyond the standard config. LDAP is working fine for my installation with only one posixGroup, so the basic stuff is sorted out ;)
Now to the tricky part:
We have two distinct posixGroups that I would like to add for the AUTH_LDAP_REQUIRE_GROUP_DN.
I tried the ldapsearch syntax
 --> (|(cn=ops-groups-1,ou=group,dc=bbbbbb,dc=aaaaaaa)(cn=ops-groups-2,ou=group,dc=bbbbbb,dc=aaaaaaa))
and the LDAPGroupQuery as described in the django-auth-ldap docs
--> (LDAPGroupQuery("cn=ops-groups-1,ou=group,dc=bbbbbb,dc=aaaaaaa") | LDAPGroupQuery("cn=ops-groups-2,ou=group,dc=bbbbbb,dc=aaaaaaa"))

All I was able to achieve was a
Caught LDAPError while authenticating xxxxxxx: INVALID_DN_SYNTAX({'desc': 'Invalid DN syntax', 'info': 'Invalid DN'})

Is there a way to do this with posixGroups?

My LDAP config is below:

AUTH_LDAP_ATTR_FIRSTNAME=cn
AUTH_LDAP_ATTR_LASTNAME=cn
AUTH_LDAP_ATTR_MAIL=mail
AUTH_LDAP_BIND_AS_AUTHENTICATING_USER=true
AUTH_LDAP_BIND_DN=cn=proxyagent_netbox,ou=profile,dc=bbbbbb,dc=aaaaaaa
AUTH_LDAP_BIND_PASSWORD=xxxxxxxxxxxxxxxxxx
AUTH_LDAP_GROUP_SEARCH_BASEDN=ou=group,dc=bbbbbb,dc=aaaaaaa
AUTH_LDAP_GROUP_SEARCH_CLASS=posixGroup
AUTH_LDAP_GROUP_TYPE=PosixGroupType
AUTH_LDAP_IS_ADMIN_DN=cn=cn=ops-manager,ou=group,dc=bbbbbb,dc=aaaaaaa
AUTH_LDAP_IS_SUPERUSER_DN=cn=ops-superuser,ou=group,dc=bbbbbb,dc=aaaaaaa
AUTH_LDAP_REQUIRE_GROUP_DN=(|(cn=ops-groups-1,ou=group,dc=bbbbbb,dc=aaaaaaa)(cn=ops-groups-2,ou=group,dc=bbbbbb,dc=aaaaaaa))
AUTH_LDAP_SERVER_URI=ldaps://ldap.xxxxxxxx.internal
AUTH_LDAP_USER_DN_TEMPLATE=cn=%(user)s,ou=people,dc=bbbbbb,dc=aaaaaaa
AUTH_LDAP_USER_SEARCH_ATTR=cn
AUTH_LDAP_USER_SEARCH_BASEDN=ou=people,dc=bbbbbb,dc=aaaaaaa


Thanks
Sebastian

Alexander Brusilov

May 12, 2020, 5:32:14 AM5/12/20
to Sebastian Wenner, NetBox
Hi,
in my case, something like this works well:
from django_auth_ldap.config import LDAPGroupQuery

AUTH_LDAP_REQUIRE_GROUP = (
    LDAPGroupQuery("CN=xxx,OU=xxx,DC=xxx,DC=xxx") |
    LDAPGroupQuery("CN=yyy,OU=yyy,DC=yyy,DC=yyy")
)

AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": (
        LDAPGroupQuery("CN=xxx,OU=xxx,DC=xxx,DC=xxx") |
        LDAPGroupQuery("CN=yyy,OU=yyy,DC=yyy,DC=yyy")
    ),
    # ... (remaining flags elided in the original post)
}


Tue, May 12, 2020 at 10:37, Sebastian Wenner <wenners...@gmail.com>:

Sebastian Wenner

May 13, 2020, 2:23:49 AM5/13/20
to NetBox
Hi Alexander,

thanks for the hint / confirmation.
I could make it work now if I hardwire it into the config, yet I fail to load it via a K8s configmap.
But this seems to be related to the way the environment variable is parsed in the config file.

BR
Sebastian
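The two points raised in this thread are that AUTH_LDAP_REQUIRE_GROUP wants group DNs combined with LDAPGroupQuery and `|` (an LDAP search filter is not a DN, hence INVALID_DN_SYNTAX), and that feeding several DNs through one environment variable needs a parsing step. The following is an added example, not code from the thread or from NetBox: it assumes a `;`-separated environment variable (DNs themselves contain commas, so comma cannot be the delimiter) and a hypothetical helper `require_group_from_env` that validates each value as a DN before building the query.

```python
import os
import re
from functools import reduce
from operator import or_

# Assumption: several group DNs are passed in one variable separated by ";",
# because the DNs already contain commas.
GROUP_DN_DELIMITER = ";"

# Simplified DN shape: "attr=value" RDNs joined by commas. Escaped commas
# inside values (\,) are deliberately not handled here. A search filter such
# as "(|(cn=a,dc=b)(cn=c,dc=b))" does not match, which mirrors the
# INVALID_DN_SYNTAX error from the original post.
_DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def parse_group_dns(raw):
    """Split a delimited value into a list of validated group DNs."""
    dns = [part.strip() for part in raw.split(GROUP_DN_DELIMITER) if part.strip()]
    for dn in dns:
        if dn.startswith("("):
            raise ValueError(f"{dn!r} looks like an LDAP search filter, not a DN")
        if not _DN_RE.match(dn):
            raise ValueError(f"{dn!r} is not a valid DN")
    return dns


def build_require_group(dns, query_cls=None):
    """Join the DNs into one LDAPGroupQuery expression with '|' (OR)."""
    if query_cls is None:
        # Imported lazily so the parsing logic can be tested without Django.
        from django_auth_ldap.config import LDAPGroupQuery
        query_cls = LDAPGroupQuery
    if not dns:
        return None  # no required group configured
    return reduce(or_, (query_cls(dn) for dn in dns))


def require_group_from_env(name="AUTH_LDAP_REQUIRE_GROUP_DN", query_cls=None, environ=None):
    """Read the variable (hypothetical name) and return the combined query."""
    environ = os.environ if environ is None else environ
    return build_require_group(parse_group_dns(environ.get(name, "")), query_cls)
```

In a settings file the result is assigned directly: `AUTH_LDAP_REQUIRE_GROUP = require_group_from_env()`.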